A Deep Dive into the Verizon 2020 Data Breach Investigations Report

SpyCloud's deep dive into the Verizon Data Breach Investigations Report (DBIR). For the 4th year in a row, stolen credentials are the top hacking tactic.

Each year, Verizon does extensive research into the massive and growing data breach phenomenon. This year marks the 13th anniversary of this ongoing project. Is that a bad omen for the security of our data? 

Let’s dive into what the Verizon 2020 Data Breach Investigations Report team saw across 3,950 confirmed data breaches over the course of the last year (a 96% increase from the previous year, which examined 2,013 breaches!).

Stolen credentials are the top hacking tactic – for the fourth year running.

Stolen credentials remain the #1 hacking tactic used by malicious actors to perpetrate data breaches, as has been the case since the 2017 DBIR. Over 80% of breaches classified as “Hacking” involve brute force or the use of stolen credentials. (Out of all breaches, 37% either used or stole credentials.)

As per the report: “At a high level, Hacking can be viewed as falling into three distinct groups: 1) those utilizing stolen or brute-forced credentials; 2) those exploiting vulnerabilities; and 3) attacks using backdoors and Command and Control (C2) functionality.” 

Users would be wise to never reuse passwords across their many online accounts. Password reuse is a major factor in credential stuffing attacks. The simplest solution for users: leverage a password manager to generate and store a unique, complex password for each account.

Some organizations experienced billions of credential stuffing attempts per year. 

Credential stuffing is a growing cybersecurity problem. That’s when a username and password for one service are breached, and attackers try those same credentials against other services. It often works because people reuse passwords. 

According to Verizon, the number of attempts organizations reported experiencing per year ranged from thousands to billions. The median number of attempts these organizations experienced per year was 922,331. 

As Verizon puts it, “Criminals are clearly in love with credentials, and why not since they make their jobs much easier?” 

Watch the webinar: How Credential Stuffing Tools Are Made


Stolen credentials stick around and cause long-term damage. 

With a 96% increase in the number of breaches analyzed by the Verizon team this year, it’s clear that credential leaks aren’t slowing down – and there’s an obvious question that arises:

“‘Do credential leaks lead to more credential stuffing?’ We took a look at a dataset of credential leaks and compared it to the credential stuffing data we had…We found basically no relationship between a credential leak and the amount of credential stuffing that occurred the week after. Instead it appears to be a ubiquitous process that moves at a more or less consistent pace: Get a leak, append to your dictionary, continue brute forcing the internet. Rinse, repeat.”

Threat actors are always conducting credential stuffing attacks, not just after a reported data breach. Constant vigilance is key (think: continual, proactive credential monitoring for your users).

Even this year’s top malware variant focuses on credential theft.

Even within the 17% of breaches that involved malware, Verizon calls out credential theft: “Our Malware findings further reinforce the trends of phishing and obtaining credentials with regard to breaches.” The report explains that this year’s top malware variant is password dumpers, malware that extracts passwords from infected systems. 

Some of the modular malware that advanced persistent threat groups develop is designed to acquire credentials stored on targeted computers, or includes keyloggers that capture credentials as users type them. (SpyCloud often recovers logs from botnets that collect this type of data.)

Watch the webinar: I Put a Keylogger on You, And Now You’re Mine

Now that we’ve examined some micro trends regarding the use of stolen credentials, let’s back up and look at some of the higher level trends from the report.

The majority of data breaches are caused by malicious actors, with 45% involving hacking. 

Data breaches are largely caused by malicious actors (just over 70%); accidents are only a minor factor. 45% of breaches involve hacking, which is defined in the VERIS framework used in the report as “all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. Includes brute force, SQL injection, cryptanalysis, denial of service attacks, etc.” Errors were causal events in 22% of breaches. 22% involved social attacks, which are cyber attacks that involve social engineering and phishing. Phishing – making fake websites, emails, text messages, and social media messages to impersonate trusted entities – is still a major way that sensitive authentication credentials are acquired illicitly. Another 17% of breaches involved malware, as discussed above.

Rounding out the action categories, just 8% of breaches involved misuse by authorized users, and physical actions were noted in only 4% of breaches (for example, when users leave USB sticks and optical discs with sensitive data in open areas where malicious actors can acquire them).

70% of breaches are caused by external actors.

External actors are cyber attackers who don’t belong to the organizations victimized in the breaches. Organized criminal groups (no, not the “mafia”) were involved in 55% of breaches. They’re mainly external cyber attack groups, but they could also sometimes bribe or socially engineer an organization’s insiders for their lucrative access. 

30% involve internal actors. This set of breaches includes accidents caused by insiders, internal cyber attackers wanting revenge on their employers, socially engineered internal victims, etc. 

Only 4% of breaches had 4 or more attacker actions, meaning that most data breaches were caused by simpler sequences of events. Only 1% of breaches involve multiple parties. So for the most part, breaches are caused by a single party, which could be an organized crime group, an advanced persistent threat group, or an individual external or internal actor. The trend of successful breaches being carried out by single entities with fewer than 4 actions suggests that organizations still have a long way to go to improve their security measures.

72% of breaches involved enterprise victims – and users pay the price. 

Large businesses were victims in 72% of breaches. These included the financial services we rely on, our favorite online service companies, and well-known brand names across many industries. 58% of victims had personal data compromised, including social security numbers, phone numbers, email addresses, government ID numbers, credit card numbers, and personal home addresses. The average consumer is paying more than $290 in out-of-pocket costs and spending 16 hours to resolve the effects of this data loss and the resultant account takeover.

The other 28% of breaches involved small businesses. In many ways, companies like Shopify and Stripe have made it much easier for small businesses to operate online. But they too need to be vigilant about protecting their users’ sensitive PII. Often the problem is in their own implementations and not in the service platforms they use.

86% of breaches were financially motivated. 

This isn’t surprising – there’s a lot of money to be made selling breached data, and even more to be made in the first few months after the breach, when criminals carry out all manner of targeted attacks to derive profit, using tactics like phishing, SIM swapping, blackmail, and extortion.

In the appendix, the report notes that “simple greed” is the driver for most cybercriminals (despite all the media coverage that national security-related breaches get). They profit by:

    • Draining financial accounts
    • Making fraudulent purchases
    • Holding systems hostage through ransomware
    • Sending fraudulent invoices in business email compromise schemes

Regarding that last point, it’s important to note that fraudulent invoice scams are now the most common BEC attack affecting organizations and their vendors (according to Gartner, Protecting Against Business Email Compromise Phishing, March 2020). The Financial Crimes Enforcement Network reports that the average transaction amount for BECs impersonating a vendor or client invoice was $125,439 – 2.5x the amount garnered by (still very lucrative) CEO impersonation scams, which net on average $50,373. Cash is still king in the world of cybercrime.

The 2020 DBIR expanded its coverage of industry-specific trends. Let’s take a look at some of them.

Industry Trends: Financial Services & Insurance

Unsurprisingly, the financial services sector, including banks, credit unions, credit card companies, mortgage brokers and insurance companies, is a major target of data breaches. The nature of their business – housing easily monetized data (both funds and sensitive information on individuals and businesses) – presents a massive opportunity to cyber attackers.

    • 11% of the confirmed data breaches analyzed in the report (448) impacted this sector.
    • Web applications and human error were factors in most of the breaches, to an almost equal degree. The report notes, “It is a bit disturbing when you realize that your employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking you.”
    • 64% of the threat actors were external, and 35% of the threat actors were internal to their organizations – roughly equal to the 70/30 average split across all industries.
    • Phishing was a common social attack type, and most of the attacks were perpetrated via email (rather than by phone, for example).
    • Regarding malware attacks, financial services is 1 of the 3 most affected industries when it comes to botnets; Verizon references “tens of thousands of incidents” affecting this sector.

Industry Trends: Public Administration

    • Just shy of 9% of the breaches analyzed in the report (346) impacted public administration (i.e. government entities).
    • Web applications were a top pattern, and human error (misconfiguration, misdelivery of information) was noted as a major factor in 92 of the breaches.
    • Insider threat appears to be a greater problem for government than other industries: 59% of threat actors were external, and 43% of threat actors were internal. 
    • Ransomware is a big problem for this sector (by far the most common type of malware, noted in 61% of the malware cases), leveraged by financially motivated attackers.

Industry Trends: Retail

    • 3.6% of the breaches analyzed in the report (146) impacted retailers. 
    • Unsurprisingly, 99% of attacker motives were financial, and 75% of threat actors were external vs. 25% internal.
    • Point of Sale-related breaches are on the decline for the second year in a row; as shoppers transition to online commerce, so do attackers. “Card not present” fraud is now the focus of their efforts.
    • The use of stolen credentials was the top hacking variety for breaches in this industry, which is plagued by credential stuffing attacks. As the report states, “it is not likely that people who have so many keys (credentials) will stop trying them on whatever locks they can find.” Retailers that store financial information and customer PII are worth the effort, and as such, personal and payment data were the top types of stolen data.

Industry Trends: Professional, Scientific and Technical Services

    • 8.2% of the breaches analyzed in the report (326) impacted this industry, which comprises lawyers, accountants, architects, research labs and consulting firms – companies that, the report notes, depend on their internet presence.
    • Unsurprisingly then, the top attack pattern for this industry was Web Applications, which is classified as anything that has a web application as the target (e.g., SQL injection) and attacks against authentication, such as the use of stolen credentials. 
    • The motive was overwhelmingly financial (93%), the attackers external (75%), and the data compromised largely personal (75%). The report notes that this personal information “can be quite lucrative for different kinds of financial fraud, hence the attraction.”

Conclusion

The Verizon Data Breach Investigations Report is something the security industry looks forward to every year, not to dwell on the problem of data breaches, but to examine the changing tactics of criminals over time. SpyCloud’s research reveals many of the same insights across the billions of breach assets collected and analyzed across thousands of breaches each year – actionable data that enables SpyCloud customers to proactively lock criminals out of accounts and circumvent their efforts to profit from stolen data. 

The growth of stolen credentials as a tactic over time shows that criminals will take the path of least resistance, and as long as the average user keeps reusing passwords and organizations allow simple, easy-to-guess passwords (ignoring NIST password guidelines), the trend will likely continue.
